Tom Marchant wrote:
Ok, I stand corrected.  I've seen it posted here that RACF uses
the password as a key to encrypt the userid.  It seemed like a
good technique to me.  I was surprised at Mr. Schneier's comment
quoted above.

unix password file is publicly readable ... and used a similar technique to obfuscate the password.

however an attack was to get a copy of the password file ... and run through all the password guesses, doing the transformation on each password guess ... and compare it with what was in the file.

That was why it was called password guessing ... since you just couldn't take the password directly from the file.

the countermeasure is the shadow password file ... the publicly readable password file was retained ... but with the password field dummied out ... and the password file with the actual (obfuscated) passwords was hidden away someplace.

the real countermeasure is to make it as hard as possible to obtain the password file (making it more difficult to efficiently run the guessing process). The password obfuscation technique is a decades-old countermeasure predating efficient, automated guessing strategies.
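An added check for the shadow-file countermeasure described above (example code, not from the thread or any IBM/Unix tool): it scans a world-readable passwd file for entries whose password field still carries an obfuscated password instead of a dummy marker, and checks that the shadow file's mode keeps it away from "other". The sample passwd lines and the function names are constructed for this example.

```python
import os

# Constructed sample of a world-readable passwd file (not from any real system).
# The last entry still carries a hash in the password field, which is exactly the
# exposure the shadow file was introduced to remove.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$6$constructedsalt$constructedhashvalue:1001:1001:Legacy:/home/legacy:/bin/sh
"""

# Password-field values that mean "dummied out": the real hash lives in the shadow
# file, or password login is disabled for the account.
DUMMY_FIELDS = {"x", "*", "!", "!!", ""}


def exposed_hashes(passwd_text: str) -> list[str]:
    """Names of accounts whose passwd entry still exposes an obfuscated password
    to anyone who can read the file, i.e. to an offline guessing run."""
    exposed = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; a full audit would report it separately
        name, password_field = fields[0], fields[1]
        if password_field not in DUMMY_FIELDS:
            exposed.append(name)
    return exposed


def shadow_mode_ok(mode: int) -> bool:
    """True when the shadow file grants no permissions to 'other' and is not
    group-writable (0640 root:shadow is the common acceptable setting)."""
    return (mode & 0o007) == 0 and (mode & 0o020) == 0


def shadow_file_ok(path: str = "/etc/shadow") -> bool:
    """Apply shadow_mode_ok to a real file's permission bits."""
    return shadow_mode_ok(os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    print("accounts with exposed hashes:", exposed_hashes(SAMPLE_PASSWD))
    print("0640 acceptable:", shadow_mode_ok(0o640), "| 0644 acceptable:", shadow_mode_ok(0o644))
```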

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html